Today’s malware is more often distributed via the web; executable files are becoming less of a problem. The G DATA security experts were also able to identify a particular trend in the first half of the year that targets users’ computers.
Like the IT industry in general, the development of current malware families and their use is subject to strong fluctuations. This is also evident in the latest analyses from the G DATA SecurityLabs: nine of the ten most common malware threats for PC users from the past year were no longer among the top 10 threats of the first half of 2018. Attacks are also launched more often from websites, and not only via executable files as in the past.
“Traditionally, malware has been spread mainly through executable files. However, we see a significant increase in web-based attacks, some of which require no files at all,” says Ralf Benzmüller, Executive Speaker of G DATA SecurityLabs. “Attacks via macros in office documents are also common and encourage users to interact. The ever faster development cycles of malware mean that users can only be comprehensively protected with proactive technologies from the G DATA SecurityLabs”.
Some statistics collected by G DATA SecurityLabs
The following figures are based on statistics collected by the G DATA SecurityLabs. Information is being compiled through the Malware Information Initiative (MII), where G DATA customers can voluntarily transmit statistical data to the company about identified and averted threats. This allows for a more accurate analysis of current samples with respect to currently active threats.
Cryptojacking dominated 2018 so far
Cryptojacking – the surreptitious mining of cryptocurrencies, usually Monero – was of particular significance in the first half of the year. Especially in the first quarter, cryptominers were hidden on numerous websites. These websites deliver mining scripts to the user’s computer, which then cause a high processor load. In some cases, however, the mining functions can also be found in executable files, such as the game Abstractism that was distributed through Steam; for more details, read our blog article “Abstractism: Cryptomining game removed from Steam Store”.
It is not always clear whether or not users have consented to such actions beforehand. Therefore, G DATA partly classifies cryptomining as malware, especially if the intention is clearly malicious. In some cases, cryptominers are classified as a “Potentially Unwanted Program” (PUP). There are three coin miners among the top 10 malware threats, and four among the top 10 PUP detections.
Technically significant: more and more often, malware uses lesser-known Windows system functions to execute malicious commands via command line scripts. For example, the G DATA security researchers were able to use heuristic detection of Voiv malware samples to block numerous attacks that use Windows “scheduled tasks” to make changes to the system. The malware disguises itself by claiming to be a browser-related process. Depending on the variant, the samples execute different types of code through scripting engines, for example to update the malware itself or to load additional malware modules.
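As an added example (not G DATA’s code), the following Python check parses Task Scheduler XML definitions in the format that `schtasks /Query /XML` exports and flags tasks that launch a script host under a browser-like name, the pattern described above; the two task definitions are constructed samples, not real Voiv samples.

```python
"""Flag scheduled tasks whose action runs a script engine, especially when the
task name mimics a browser process.  Task Scheduler XML is assumed to use the
standard namespace below; both sample tasks are constructed for illustration."""
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "cmd.exe"}
BROWSER_WORDS = ("chrome", "firefox", "edge", "opera", "browser")

# Constructed sample: browser-sounding name, but the action runs a JScript file.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Chrome Update Service</URI></RegistrationInfo>
  <Actions Context="Author"><Exec>
    <Command>%SystemRoot%\System32\wscript.exe</Command>
    <Arguments>//B //E:jscript "%APPDATA%\update.txt"</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed sample: a plain updater executable, no script host involved.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\ExampleVendor\Updater</URI></RegistrationInfo>
  <Actions Context="Author"><Exec>
    <Command>C:\Program Files\ExampleVendor\updater.exe</Command>
    <Arguments>/silent</Arguments>
  </Exec></Actions>
</Task>"""


def parse_task(xml_text):
    """Return (task URI, [(command, arguments), ...]) from a task definition."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    actions = []
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        actions.append((cmd, args))
    return uri, actions


def assess_task(xml_text):
    """Flag script-host actions; note when the task name also looks browser-related."""
    uri, actions = parse_task(xml_text)
    name = uri.rsplit("\\", 1)[-1].lower()
    looks_like_browser = any(w in name for w in BROWSER_WORDS)
    reasons = []
    for cmd, args in actions:
        # Keep only the executable name; env vars and directories are irrelevant here.
        exe = cmd.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in SCRIPT_HOSTS:
            reasons.append(f"runs script host {exe} with arguments: {args}")
            if looks_like_browser:
                reasons.append("browser-like task name launches a script host")
    return {"task": uri, "suspicious": bool(reasons), "reasons": reasons}
```

On a live system, feed it the output of `schtasks /Query /TN <name> /XML` for each task and review the flagged ones by hand, since legitimate maintenance tasks also use script hosts.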
Chronic security problems
Adobe’s Flash plugin is also a well-known chronic security problem. A vulnerability from 2017 (CVE-2017-3077) ranked seventh in the top 10 of averted threats among G DATA users. Here, a manipulated image in PNG format is used to exploit the vulnerability and place malicious code on the user’s computer. Once such a bridgehead has been established, further malicious code can be downloaded. G DATA advises you to stop using Adobe’s Flash Player and uninstall it. If you cannot live without it, always install updates immediately, as soon as they become available.
Ranking at #4 and #8 are generic malware detections that disguise themselves as cracked versions of games. Malware authors often hide their malware in games. This tendency is not limited to Windows computers: especially on Android, games for children are a focus of fraudsters. G DATA recently warned against fake versions of the Fortnite app for Android in a blog article.
Many Potentially Unwanted Programs (PUP), in addition to the Monero miners, come in the shape of applications that change users’ browser settings without being asked: for example, they change the configured start page or the default search engine, or install annoying toolbars. “Open Candy” and the “Mindspark” framework, which are mainly hidden in freeware installers, have been known for this type of behavior for years. They are still being spread and are recognized by the G DATA security solutions. Interestingly, software classified as a PUP, such as Win32.Application.DownloadGuide.T, now also recognizes virtual machines and tries to evade antivirus analysis by behaving less aggressively when it runs in a virtual machine.
Prevented attacks are slightly declining
The overall number of reports on prevented attacks in the past six months was slightly lower than in the previous year. In the second quarter of 2018 in particular, the reported figures were lower than before.
The statistics also show that the malware situation varies greatly from country to country. Most prevented malware and PUP infections were reported from Turkey in the first half of 2018, well ahead of second-placed Israel. In Turkey, G DATA security solutions have primarily prevented infections with well-known tools for cracking Microsoft software. Germany is in the middle of the field when it comes to prevented threats.
The development of new types of malware also declined slightly in the first half of the year compared with the previous year. In total, G DATA SecurityLabs has classified 2,396,830 new samples as harmful. On average, about 13,000 new malware samples were detected every day, i.e. about 9 per minute. Benzmüller comments on the figures: “We expect the number of new malware types to increase slightly again in the second half of the year. It will probably not be a record year. But the individual attacks are becoming more and more sophisticated and targeted.”